What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two Titles. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and addresses the security and privacy of health
was first proposed with the simple objective to ensure health insurance coverage after leaving a job. In addition to these portability provisions, however, Congress added an Administrative Simplification section, with the goal of saving money in mind. The Administrative Simplification section was requested and supported by the health care industry because it standardized electronic transactions and required standard record formats, code sets, and identifiers.

Following this standardization effort, Congress recognized the need to enhance the security and privacy of individually identifiable health information in all forms. In 1999, Congress directed the Department of Health and Human Services (DHHS) to develop privacy and security requirements in accordance with HIPAA's Title II.
What is the Privacy Rule?
The Privacy Rule is a federal regulation defining administrative steps, policies, and procedures to safeguard individuals' personal, private health information (protected health information, or PHI).

The Privacy Rule is designed to empower patients by guaranteeing them access to their medical records, giving them more control over how their PHI is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule is designed to protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care
When does the Privacy Rule become
President Bush approved the regulations on April 12, 2001. The official effective date of the regulations is April 14, 2001. Covered entities, including hospitals and physicians, have two (2) years to comply (by April 14, 2003), except for small health plans, which have until April 14, 2004 to comply.
Who must comply with the Privacy Rule?
The following types of health care organizations are defined as “covered entities” by the
All health care providers who choose to transmit certain administrative and financial health information electronically.

Covered entities may disclose health information to persons or organizations they hire to perform functions on their behalf (e.g. legal or accounting services). These “business associates” would not be permitted, under contractual obligation with the covered entity, to use or disclose protected health information in ways that would not be permitted of the covered entity itself.
What information is protected?
The rule defines “protected health information” as health information that identifies an individual and is maintained or exchanged electronically or in hard copy. If the information has any components that could be used to identify a person, it would be protected. The protection would stay with the information as long as the information is in the hands of a covered entity or a business associate. The protections apply to individually identifiable information in any form, electronic or non-electronic. The paper progeny of electronic information is covered (i.e. the information would not lose its protections simply because it is printed out of a computer), and oral communications are also covered.
Will the Privacy Rule preempt state
Pursuant to the HIPAA law, this rule will preempt state laws that conflict with the regulatory requirements, with exceptions for certain public health functions and related activities. Stronger state laws (e.g. those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative: the final rule sets a national “floor” of privacy standards that protect all Americans. However, certain states have more restrictive privacy provisions, and those more restrictive provisions will continue to apply, providing their citizens with additional protections.
Are all state laws subject to Privacy Rule preemption?
The rule also carves out certain areas of state authority that are not limited or invalidated by the provisions of HIPAA; these areas relate to public health and state regulation of health plans. In terms of public health, for example, Section 160.203(c) of the regulation states that State law is not preempted if “The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”